
Risk

10/3/2008
03:12 PM
Jim Manico
Commentary

Cookie-Cutter Security Doesn't Work: Report

It's all well and good to be concerned about information security and data breaches, but a one-size-fits-all approach may not be the best way to go.

According to a report from the Verizon Business Risk Team (PDF), both the sources of attacks and their level of sophistication vary with the specific industry a business is in. Verizon analyzed four verticals and found:

1. Financial services: 56% of breaches came from outside of the organization, 41% from third parties (business partners), and 38% from inside of the organization.

2. High-tech services: 55% of breaches came from outside of the organization, 39% from inside of the organization, and 18% from third parties.

3. Retail: 84% of breaches came from outside of the organization, 36% from third parties, and 11% from inside of the organization.

4. Food and beverage: 80% of breaches came from outside the organization, 70% from third parties, and 4% from inside the organization.

The numbers within each vertical add up to more than 100% because many breaches involve multiple sources, the study explains. It goes on to point out that the tech services category was the only one that faced a bigger threat from within than from business partners: "It stands to reason that organizations in this industry likely employ a high percentage of tech-savvy staff and grant them high levels of access to numerous systems. Unfortunately, some find that access to sensitive and valuable resources is a temptation too hard to resist. Facing similar temptations, insiders in the Financial Services industry were behind a large proportion of breaches as well."

Along the same lines, the most sophisticated attacks are happening within the tech and financial services markets, though a bird's-eye view of all four markets shows low-difficulty attacks to be the culprit at the majority of firms. Another finding: errors, mostly indirect ones, are a widespread contributor to systems being compromised. Hacking was also a major culprit, though in financial services deceit and misuse (using granted resources and/or privileges for any unauthorized purpose) was cited more frequently.

The report breaks down plenty more info, including how attackers are getting in, what kinds of information they're after (three words: payment card data), and the life cycle of a breach. Granted, there's much to take in, but the drilldown exercise that Verizon performed is one you should do for your business as well.

According to Bryan Sartin, a contributor to the report who also spoke with Dark Reading, employing a generic risk calculation, such as the likelihood of insider threats, may be a mistake unless industry-specific factors are accounted for. Although there are many studies and calculators that discuss trends in security attacks, very few of them break their data down by industry, and that breakdown may be crucial to accurately calculating risk in a particular enterprise, he added.
